feat(neptune): enable sunshine game/desktop streaming

[johnae]

No description provided.

[claude]

Claude finished @johnae's task —— View job

---

Pull Request Review: Enable Sunshine Game/Desktop Streaming

Review Checklist

• Read the modified neptune.nix file to understand changes
• Review code quality and NixOS best practices
• Check for potential bugs or configuration issues
• Assess security implications
• Consider performance impact
• Evaluate test coverage needs
• Provide comprehensive review feedback

Summary of Changes

This PR adds Sunshine (game/desktop streaming server) configuration to the neptune NixOS system and includes:

1. Enabling the Sunshine service with specific configuration
2. Adding required user groups (render, video, uinput) for GPU/input device access
3. Commenting out the restic-backup profile (appears unrelated to Sunshine)

Review Feedback

✅ Code Quality & Best Practices

• Good: Clean NixOS module configuration following standard patterns
• Good: Proper use of service options with explicit configuration
• Good: Groups added correctly using extraGroups for the admin user

⚠️ Security Considerations

1. Network Exposure (openFirewall = true):

   • Opens ports 47984-47990/tcp, 48010/tcp, 47998-48000/udp in the firewall
   • Risk: Exposes the streaming service to the network
   • Recommendation: Consider if this should be limited to specific interfaces or if Tailscale-only access would be more secure

2. Host Binding (services.ollama.host = "0.0.0.0" at line 43):

   • While not part of this PR's changes, I notice Ollama is bound to all interfaces
   • Combined with Sunshine, this increases the attack surface
   • Recommendation: Review if both services need to be network-accessible

3. capSysAdmin = false:

   • Good: Correctly disabled CAP_SYS_ADMIN capability for better security
   • This is the recommended setting unless KMS capture is specifically needed

4. User Permissions:

   • Groups render, video, uinput grant significant hardware access
   • Acceptable: These are required for Sunshine to function properly with GPU acceleration and input device access

🔍 Potential Issues

1. Unrelated Change:

   • Line 30: Commenting out restic-backup.nix appears unrelated to Sunshine
   • The comment suggests missing secrets (restic-env/restic-pw not rekeyed for neptune)
   • Question: Should this be in a separate commit or PR?

2. Missing Configuration:

   • No authentication settings visible (Sunshine typically requires auth configuration)
   • Recommendation: Ensure Sunshine authentication is configured (usually done via web UI on first run)

🚀 Performance Considerations

1. GPU Access: The render and video groups suggest hardware acceleration will be used, which is good for performance
2. Auto-start: autoStart = true means the service runs at boot
   • Consider if this is needed if the system isn't always used for streaming
   • Could impact boot time and resource usage

🧪 Test Coverage

1. Manual Testing Needed:

   • Verify Sunshine web UI is accessible at https://neptune:47990
   • Test streaming functionality with a client (Moonlight)
   • Verify firewall rules are correctly applied
   • Check that the admin user can access necessary devices

2. Automated Testing:

   • Consider adding a NixOS test that verifies:
     • Service starts successfully
     • Ports are open
     • User has correct group memberships

Recommendations

1. Split the restic-backup change into a separate commit or PR for clarity
2. Document the security implications of opening firewall ports (perhaps in the configuration comments)
3. Consider adding a comment explaining why Sunshine is needed on this system
4. Verify authentication will be properly configured before deployment
5. Consider conditional enablement based on whether the system is on a trusted network

Overall Assessment

The implementation is technically correct and follows NixOS best practices. However, the security implications of exposing a streaming service should be carefully considered, especially in combination with the already exposed Ollama service. The unrelated restic-backup change should ideally be separated.

[claude]

Claude finished @johnae's task —— View job

---

Pull Request Review

Review Checklist

• Read the modified neptune.nix file to understand changes
• Review code quality and NixOS best practices
• Check for potential bugs or configuration issues
• Assess security implications
• Consider performance impact
• Evaluate test coverage needs
• Provide comprehensive review feedback

---

Summary of Changes

This PR consists of two commits that modify configurations/nixos/x86_64-linux/neptune.nix:

1. Initial commit (a8e60bf): Added Sunshine game/desktop streaming functionality

   • Enabled the Sunshine service with specific configuration
   • Added user groups (render, video, uinput) for GPU/input device access
   • Commented out the restic-backup profile import

2. Follow-up commit (58bbae2): Re-enabled the restic-backup profile

---

Code Review Feedback

✅ Code Quality & Best Practices

• Clean and idiomatic NixOS module configuration
• Proper use of service options with explicit configuration values
• Correct implementation of user group additions via extraGroups
• Configuration follows NixOS conventions

🔒 Security Concerns

1. Network Exposure (openFirewall = true at line 49):

   • Opens ports 47984-47990/tcp, 48010/tcp, 47998-48000/udp
   • Risk: Exposes streaming service to the entire network
   • Recommendation: Consider restricting access via Tailscale-only or specific network interfaces

2. Service Binding Combination:

   • Ollama is already bound to all interfaces (services.ollama.host = "0.0.0.0" at line 43)
   • Adding Sunshine increases the overall network attack surface
   • Recommendation: Review if both services need unrestricted network access

3. CAP_SYS_ADMIN Disabled (capSysAdmin = false at line 48):

   • ✅ Good security practice - correctly disabled unless KMS capture is required
   • Reduces privilege escalation risks

4. Hardware Access Groups (line 203):

   • Groups render, video, uinput provide significant hardware access
   • Acceptable: Required for GPU acceleration and input device control

⚠️ Potential Issues

1. Authentication Configuration:

   • No explicit authentication settings visible in the configuration
   • Sunshine typically requires authentication setup on first run
   • Action Required: Ensure authentication is configured via web UI after deployment

2. Restic Backup Toggle:

   • The profile was disabled then re-enabled across two commits
   • Original comment indicated "restic-env/restic-pw not rekeyed for neptune"
   • Question: Has the rekeying issue been resolved?

🚀 Performance Considerations

1. Resource Usage:

   • autoStart = true (line 47) means service starts at boot
   • Consider if always-on is necessary vs on-demand activation
   • May impact boot time and idle resource consumption

2. GPU Acceleration:

   • User groups suggest hardware acceleration is properly configured
   • Should provide good streaming performance

🧪 Test Coverage Recommendations

1. Manual Testing Checklist:

   • Verify Sunshine web UI accessibility at https://neptune:47990
   • Test streaming with Moonlight client
   • Confirm firewall rules are correctly applied
   • Verify admin user has required device access
   • Test authentication setup and pairing process

2. Automated Testing Suggestions:

   • Consider adding NixOS tests to verify:
     • Service startup success
     • Port availability
     • User group membership

---

Recommendations

1. Security Hardening: Consider using Tailscale-only access instead of openFirewall = true
2. Documentation: Add comments explaining why Sunshine is needed on this system
3. Authentication: Document the authentication setup process
4. Commit History: The restic-backup toggle could have been squashed or explained better

Overall Assessment

The implementation is technically correct and follows NixOS best practices. The main concern is the security implications of exposing another network service, especially combined with the already exposed Ollama service. Consider whether network-wide access is necessary or if Tailscale-only access would be more appropriate.

Approval Status: ✅ Approved with suggestions - The code is functional and correct, but please consider the security recommendations above.